diff --git a/policy-20090105.patch b/policy-20090105.patch
index 3acc136..58f63d3 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -729,17 +729,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.12/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc 2009-04-07 16:01:44.000000000 -0400
-@@ -3,6 +3,7 @@
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.fc 2009-04-19 15:52:53.000000000 -0400
+@@ -3,15 +3,12 @@
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
+-
+-/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_exec_t,s0)
- /usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
-@@ -11,7 +12,8 @@
-
/usr/sbin/system-install-packages -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/yum-updatesd -- gen_context(system_u:object_r:rpm_exec_t,s0)
-
@@ -748,7 +749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
-@@ -21,14 +23,18 @@
+@@ -21,14 +18,18 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -1104,8 +1105,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.12/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-09 04:59:09.000000000 -0400
-@@ -31,6 +31,9 @@
++++ serefpolicy-3.6.12/policy/modules/admin/rpm.te 2009-04-19 15:57:21.000000000 -0400
+@@ -9,6 +9,8 @@
+ type rpm_t;
+ type rpm_exec_t;
+ init_system_domain(rpm_t, rpm_exec_t)
++#application_domain(rpm_t, rpm_exec_t)
++
+ domain_obj_id_change_exemption(rpm_t)
+ domain_role_change_exemption(rpm_t)
+ domain_system_change_exemption(rpm_t)
+@@ -31,6 +33,9 @@
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;
@@ -1115,7 +1125,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
-@@ -52,8 +55,9 @@
+@@ -52,8 +57,9 @@
# rpm Local policy
#
@@ -1127,7 +1137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_t self:process { getattr setexec setfscreate setrlimit };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +72,8 @@
+@@ -68,6 +74,8 @@
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
@@ -1136,7 +1146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -87,8 +93,12 @@
+@@ -87,8 +95,12 @@
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
@@ -1149,7 +1159,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_all_executables(rpm_t)
-@@ -108,13 +118,16 @@
+@@ -108,13 +120,16 @@
dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
@@ -1166,7 +1176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
-@@ -132,6 +145,8 @@
+@@ -132,6 +147,8 @@
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)
@@ -1175,7 +1185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_relabel_all_files_except_shadow(rpm_t)
auth_manage_all_files_except_shadow(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +170,7 @@
+@@ -155,6 +172,7 @@
files_exec_etc_files(rpm_t)
init_domtrans_script(rpm_t)
@@ -1183,7 +1193,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
-@@ -174,17 +190,28 @@
+@@ -174,17 +192,28 @@
')
optional_policy(`
@@ -1213,7 +1223,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
ifdef(`TODO',`
-@@ -210,8 +237,8 @@
+@@ -210,8 +239,8 @@
# rpm-script Local policy
#
@@ -1224,7 +1234,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +249,15 @@
+@@ -222,12 +251,15 @@
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
@@ -1240,7 +1250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +269,9 @@
+@@ -239,6 +271,9 @@
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
@@ -1250,7 +1260,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_list_sysfs(rpm_script_t)
-@@ -255,6 +288,7 @@
+@@ -255,6 +290,7 @@
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)
@@ -1258,7 +1268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +306,19 @@
+@@ -272,14 +308,19 @@
storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)
@@ -1278,7 +1288,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +330,7 @@
+@@ -291,6 +332,7 @@
files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)
@@ -1286,7 +1296,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_domtrans_script(rpm_script_t)
-@@ -308,12 +348,15 @@
+@@ -308,12 +350,15 @@
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
@@ -1302,7 +1312,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
-@@ -326,6 +369,10 @@
+@@ -326,6 +371,10 @@
')
optional_policy(`
@@ -1313,7 +1323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tzdata_domtrans(rpm_t)
tzdata_domtrans(rpm_script_t)
')
-@@ -333,6 +380,7 @@
+@@ -333,6 +382,7 @@
optional_policy(`
unconfined_domain(rpm_script_t)
unconfined_domtrans(rpm_script_t)
@@ -4676,7 +4686,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-17 07:21:07.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-19 15:53:09.000000000 -0400
@@ -32,6 +32,8 @@
#
# /etc
@@ -4695,7 +4705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
# /usr
#
-@@ -299,3 +303,14 @@
+@@ -299,3 +303,20 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -4710,6 +4720,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:bin_t, s0)
+
+/usr/lib(64)?/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
++
++/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.12/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-01-05 15:39:38.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.if 2009-04-07 16:01:44.000000000 -0400
@@ -13382,6 +13398,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ polkit_read_reload(gnomeclock_t)
+')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.if serefpolicy-3.6.12/policy/modules/services/gpm.if
+--- nsaserefpolicy/policy/modules/services/gpm.if 2008-08-07 11:15:11.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/gpm.if 2009-04-20 08:24:22.000000000 -0400
+@@ -16,7 +16,7 @@
+ type gpmctl_t, gpm_t;
+ ')
+
+- allow $1 gpmctl_t:sock_file { getattr write };
++ allow $1 gpmctl_t:sock_file rw_sock_file_perms;
+ allow $1 gpm_t:unix_stream_socket connectto;
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.12/policy/modules/services/gpm.te
--- nsaserefpolicy/policy/modules/services/gpm.te 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/gpm.te 2009-04-07 16:01:44.000000000 -0400
@@ -13685,7 +13713,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-11 07:33:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-04-20 07:58:45.000000000 -0400
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -13745,16 +13773,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_search_nfs_state_data(hald_t)
')
-@@ -301,12 +327,16 @@
- virt_manage_images(hald_t)
+@@ -298,7 +324,11 @@
')
-+optional_policy(`
-+ xserver_read_pid(hald_t)
+ optional_policy(`
+- virt_manage_images(hald_t)
++ virtual_manage_image(hald_t)
+')
+
++optional_policy(`
++ xserver_read_pid(hald_t)
+ ')
+
########################################
- #
+@@ -306,7 +336,7 @@
# Hal acl local policy
#
@@ -17642,7 +17674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-04-20 07:42:10.000000000 -0400
@@ -46,6 +46,7 @@
allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -17812,7 +17844,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -500,3 +558,23 @@
+@@ -500,3 +558,43 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -17836,6 +17868,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ domtrans_pattern($1, postfix_postdrop_exec_t, postfix_postdrop_t)
+')
+
++########################################
++##
++## Execute the master postdrop in the
++## postfix_postdrop domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`postfix_run_postdrop',`
++ gen_require(`
++ type postfix_postdrop_t;
++ ')
++
++ postfix_domtrans_postdrop($1)
++ role $2 types postfix_postdrop_t;
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-15 08:35:07.000000000 -0400
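Review bot: The doc block of the new `postfix_run_postdrop` interface documents only one parameter ("Domain allowed access.") although the interface takes two, and `$2` is the security-relevant half: it is the role that is granted entry into postfix_postdrop_t. Add a second param entry for `$2`, `## Role allowed access.`, and fix the summary copied from the domtrans interface, which should read `## Execute postdrop in the postfix_postdrop domain, and allow the specified role the postfix_postdrop domain.` rather than "the master postdrop". The summary/param XML tags appear stripped in this rendering, so check them in the file as well.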
@@ -22843,7 +22895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.12/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.if 2009-04-20 08:00:16.000000000 -0400
@@ -2,28 +2,6 @@
########################################
@@ -22896,7 +22948,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
')
-@@ -293,6 +272,41 @@
+@@ -272,11 +251,7 @@
+ ')
+
+ virt_search_lib($1)
+- allow $1 virt_image_t:dir list_dir_perms;
+- manage_dirs_pattern($1, virt_image_t, virt_image_t)
+- manage_files_pattern($1, virt_image_t, virt_image_t)
+- read_lnk_files_pattern($1, virt_image_t, virt_image_t)
+- rw_blk_files_pattern($1, virt_image_t, virt_image_t)
++ virtual_manage_image($1)
+
+ tunable_policy(`virt_use_nfs',`
+ fs_manage_nfs_dirs($1)
+@@ -293,6 +268,41 @@
########################################
##
@@ -22938,7 +23003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
## an virt environment
##
-@@ -327,3 +341,53 @@
+@@ -327,3 +337,53 @@
virt_manage_log($1)
')
@@ -22994,7 +23059,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-17 11:32:56.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-20 07:48:51.000000000 -0400
@@ -8,19 +8,24 @@
##
@@ -23067,7 +23132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-allow virtd_t self:process { getsched sigkill signal execmem };
+allow virtd_t self:capability { chown dac_override ipc_lock kill mknod net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
-+allow virtd_t self:process { getsched sigkill signal execmem setexec setfscreate setsched };
++allow virtd_t self:process { getsched sigkill signal signull execmem setexec setfscreate setsched };
allow virtd_t self:fifo_file rw_file_perms;
allow virtd_t self:unix_stream_socket create_stream_socket_perms;
allow virtd_t self:tcp_socket create_stream_socket_perms;
@@ -25519,7 +25584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-17 11:41:15.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-19 15:52:00.000000000 -0400
@@ -17,6 +17,20 @@
##
gen_tunable(init_upstart,false)
@@ -25819,17 +25884,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ifdef(`distro_redhat',`
-@@ -721,6 +799,9 @@
+@@ -719,8 +797,6 @@
+ # bash tries ioctl for some reason
+ files_dontaudit_ioctl_all_pids(initrc_t)
- # why is this needed:
- rpm_manage_db(initrc_t)
-+ # Allow SELinux aware applications to request rpm_script_t execution
-+ rpm_transition_script(initrc_t)
-+
+- # why is this needed:
+- rpm_manage_db(initrc_t)
')
optional_policy(`
-@@ -733,10 +814,12 @@
+@@ -733,10 +809,12 @@
squid_manage_logs(initrc_t)
')
@@ -25842,7 +25906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +837,11 @@
+@@ -754,6 +832,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -25854,27 +25918,29 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
unconfined_domain(initrc_t)
-@@ -761,6 +849,8 @@
- # system-config-services causes avc messages that should be dontaudited
- unconfined_dontaudit_rw_pipes(daemon)
+@@ -765,6 +848,21 @@
+ optional_policy(`
+ mono_domtrans(initrc_t)
')
++
++ # why is this needed:
++ rpm_manage_db(initrc_t)
++ # Allow SELinux aware applications to request rpm_script_t execution
++ rpm_transition_script(initrc_t)
++')
++
++optional_policy(`
+ # sudo service restart causes this
+ unconfined_signull(daemon)
-
- optional_policy(`
- mono_domtrans(initrc_t)
-@@ -768,6 +858,10 @@
- ')
-
- optional_policy(`
-+ rpm_dontaudit_rw_pipes(daemon)
+')
+
++
+optional_policy(`
- vmware_read_system_config(initrc_t)
- vmware_append_system_config(initrc_t)
++ rpm_dontaudit_rw_pipes(daemon)
')
-@@ -790,3 +884,25 @@
+
+ optional_policy(`
+@@ -790,3 +888,25 @@
optional_policy(`
zebra_read_config(initrc_t)
')
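Review bot: `rpm_manage_db(initrc_t)` and `rpm_transition_script(initrc_t)` are inserted before the `')` that closes the enclosing `optional_policy(` block, the one that (from the context above the inner hunk header) begins with `unconfined_domain(initrc_t)`, rather than getting a block of their own. An optional_policy block is dropped as a whole if any type it requires is missing, so if that reading is right the unconfined rules for initrc_t now depend on the rpm module and vice versa, unlike the neighbouring `rpm_dontaudit_rw_pipes(daemon)` which does get its own block. Move the two calls into their own `optional_policy(` ... `')` next to rpm_dontaudit_rw_pipes, and drop one of the two consecutive blank lines that precede that block. The enclosing block starts outside the hunk.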
@@ -29161,7 +29227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-18 06:14:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/userdomain.if 2009-04-20 08:25:48.000000000 -0400
@@ -30,8 +30,9 @@
')
@@ -30146,7 +30212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -986,37 +1050,47 @@
+@@ -986,37 +1050,55 @@
')
')
@@ -30189,6 +30255,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ ')
+
+ optional_policy(`
++ gpm_stream_connect($1_usertype)
++ ')
++
++ optional_policy(`
+ java_role_template($1, $1_r, $1_t)
+ ')
+
@@ -30200,6 +30270,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ mount_run($1_t, $1_r)
+ ')
+
++ optional_policy(`
++ postfix_run_postdrop($1_t, $1_r)
++ ')
++
+ # Run pppd in pppd_t by default for user
+ optional_policy(`
+ ppp_run_cond($1_t, $1_r)
@@ -30208,7 +30282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
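Review bot: `postfix_run_postdrop($1_t, $1_r)` is added to the user template unconditionally, so every role built from it may transition into postfix_postdrop_t and reach the postfix maildrop, while the neighbouring `ppp_run_cond($1_t, $1_r)` is guarded by a tunable. If mail submission is meant to be a default for confined users, say so above the call, e.g. `# Let confined users submit mail; postdrop runs in postfix_postdrop_t`; otherwise consider a tunable. Also `gpm_stream_connect` is applied to `$1_usertype` whereas postdrop is applied to `$1_t` only — confirm that is intended, since the other user types will not get the transition. The template starts outside the hunk.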
#######################################
-@@ -1050,7 +1124,7 @@
+@@ -1050,7 +1132,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@@ -30217,7 +30291,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
-@@ -1059,8 +1133,7 @@
+@@ -1059,8 +1141,7 @@
#
# Inherit rules for ordinary users.
@@ -30227,7 +30301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
-@@ -1083,7 +1156,8 @@
+@@ -1083,7 +1164,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@@ -30237,7 +30311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1099,6 +1173,7 @@
+@@ -1099,6 +1181,7 @@
kernel_sigstop_unlabeled($1_t)
kernel_signull_unlabeled($1_t)
kernel_sigchld_unlabeled($1_t)
@@ -30245,7 +30319,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_bind_generic_port($1_t)
# allow setting up tunnels
-@@ -1106,8 +1181,6 @@
+@@ -1106,8 +1189,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@@ -30254,7 +30328,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
-@@ -1162,20 +1235,6 @@
+@@ -1162,20 +1243,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -30275,7 +30349,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
-@@ -1221,6 +1280,7 @@
+@@ -1221,6 +1288,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -30283,7 +30357,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1286,11 +1346,15 @@
+@@ -1286,11 +1354,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@@ -30299,7 +30373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1387,7 +1451,7 @@
+@@ -1387,7 +1459,7 @@
########################################
##
@@ -30308,7 +30382,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -1420,6 +1484,14 @@
+@@ -1420,6 +1492,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@@ -30323,7 +30397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1435,9 +1507,11 @@
+@@ -1435,9 +1515,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@@ -30335,7 +30409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1494,6 +1568,25 @@
+@@ -1494,6 +1576,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@@ -30361,7 +30435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
##
## Create directories in the home dir root with
-@@ -1568,6 +1661,8 @@
+@@ -1568,6 +1669,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@@ -30370,7 +30444,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1643,6 +1738,7 @@
+@@ -1643,6 +1746,7 @@
type user_home_dir_t, user_home_t;
')
@@ -30378,7 +30452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
-@@ -1741,30 +1837,80 @@
+@@ -1741,30 +1845,80 @@
########################################
##
@@ -30441,7 +30515,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+interface(`userdom_dontaudit_delete_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
-+ ')
+ ')
+
+ allow $1 user_home_t:dir delete_file_perms;
+')
@@ -30461,7 +30535,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ gen_require(`
+ type user_home_dir_t;
+ attribute user_home_type;
- ')
++ ')
+
+ files_search_home($1)
+ exec_files_pattern($1, { user_home_dir_t user_home_type }, user_home_type)
@@ -30469,7 +30543,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -1787,6 +1933,46 @@
+@@ -1787,6 +1941,46 @@
########################################
##
@@ -30516,7 +30590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files
## in a user home subdirectory.
##
-@@ -1799,6 +1985,7 @@
+@@ -1799,6 +1993,7 @@
interface(`userdom_manage_user_home_content_files',`
gen_require(`
type user_home_dir_t, user_home_t;
@@ -30524,7 +30598,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
manage_files_pattern($1, user_home_t, user_home_t)
-@@ -2328,7 +2515,7 @@
+@@ -2328,7 +2523,7 @@
########################################
##
@@ -30533,17 +30607,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
##
##
-@@ -2814,7 +3001,25 @@
+@@ -2814,12 +3009,12 @@
type user_tmp_t;
')
- allow $1 user_tmp_t:file write_file_perms;
+ write_files_pattern($1, user_tmp_t, user_tmp_t)
+ ')
+
+ ########################################
+ ##
+-## Do not audit attempts to use user ttys.
++## Delete all users files in /tmp
+ ##
+ ##
+ ##
+@@ -2827,17 +3022,17 @@
+ ##
+ ##
+ #
+-interface(`userdom_dontaudit_use_user_ttys',`
++interface(`userdom_delete_user_tmp_files',`
+ gen_require(`
+- type user_tty_device_t;
++ type user_tmp_t;
+ ')
+
+- dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
++ allow $1 user_tmp_t:file delete_file_perms;
+ ')
+
+ ########################################
+ ##
+-## Read the process state of all user domains.
++## Do not audit attempts to use user ttys.
+ ##
+ ##
+ ##
+@@ -2845,12 +3040,31 @@
+ ##
+ ##
+ #
+-interface(`userdom_read_all_users_state',`
++interface(`userdom_dontaudit_use_user_ttys',`
++ gen_require(`
++ type user_tty_device_t;
++ ')
++
++ dontaudit $1 user_tty_device_t:chr_file rw_file_perms;
+')
+
+########################################
+##
-+## Delete all users files in /tmp
++## Read the process state of all user domains.
+##
+##
+##
@@ -30551,16 +30667,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+##
+##
+#
-+interface(`userdom_delete_user_tmp_files',`
-+ gen_require(`
-+ type user_tmp_t;
-+ ')
-+
-+ allow $1 user_tmp_t:file delete_file_perms;
- ')
-
- ########################################
-@@ -2851,6 +3056,7 @@
++interface(`userdom_read_all_users_state',`
+ gen_require(`
+ attribute userdomain;
')
read_files_pattern($1,userdomain,userdomain)
@@ -30568,7 +30677,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
-@@ -2981,3 +3187,481 @@
+@@ -2981,3 +3195,481 @@
allow $1 userdomain:dbus send_msg;
')
@@ -31143,7 +31252,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# No application file contexts.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.if serefpolicy-3.6.12/policy/modules/system/virtual.if
--- nsaserefpolicy/policy/modules/system/virtual.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/virtual.if 2009-04-20 07:58:28.000000000 -0400
@@ -0,0 +1,114 @@
+## Virtual machine emulator and virtualizer
+
@@ -31453,7 +31562,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-07 16:01:44.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-04-20 07:59:14.000000000 -0400
@@ -6,6 +6,13 @@
# Declarations
#
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 333b624..480af22 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -446,6 +446,9 @@ exit 0
%endif
%changelog
+* Mon Apr 20 2009 Dan Walsh 3.6.12-9
+- Add ability to run postdrop from confined users
+
* Sat Apr 18 2009 Dan Walsh 3.6.12-8
- Fixes for podsleuth